gpg --card-status always create proxy private keys
alon.barlev at gmail.com
Mon Feb 13 22:49:54 CET 2017
On 13 February 2017 at 18:15, Peter Lebbing <peter at digitalbrains.com> wrote:
> I'm not up to speed on all the fine detail. But perhaps there is a
> different alternative that would work for you. GnuPG 2.1 has:
> $ gpg2 --expert --edit-key [KEYID]
> > addkey
> Please select what kind of key you want:
> (3) DSA (sign only)
> (4) RSA (sign only)
> (5) Elgamal (encrypt only)
> (6) RSA (encrypt only)
> (7) DSA (set your own capabilities)
> (8) RSA (set your own capabilities)
> (10) ECC (sign only)
> (11) ECC (set your own capabilities)
> (12) ECC (encrypt only)
> (13) Existing key
> Note option 13. You can use this to add an existing key from an OpenPGP
> smartcard as well. So if you want to add existing keys from a card
> infrastructure emulating an OpenPGP card, I think it could be integrated
> in the same way you can, now with 2.1, add existing keys on real OpenPGP
> cards. This was a workflow that didn't exist in 2.0.
Similar option was possible in 2.0 using addcardkey.
I checked this as well, and it actually works nicely.
However, it is insufficient...
I am unsure I like the master key to exist outside of the hardware...
This is egg and chicken as the master key cannot be enrolled per the
issue I am experiencing.
Also unfortunately, rpm does not support signing using subkeys.
Do you know other magics? I searched maybe to take a subkey and
promote it to primary key somehow... did not find sane sequence.
Maybe instead of "card-edit/generate" there should be "card-edit/use
existing" or something?
I still think that the simplest solution is to override whatever in
~/.gnupg/private-keys-v1.d and not fail if same key hash exists, this
requires a small code change of gnupg.
More information about the Gnupg-devel